diff --git a/decrypt_oracle/.chalice/pipeline.py b/decrypt_oracle/.chalice/pipeline.py index 0eb3889fd..45e050a2d 100644 --- a/decrypt_oracle/.chalice/pipeline.py +++ b/decrypt_oracle/.chalice/pipeline.py @@ -37,7 +37,7 @@ def __init__(self, *args, **kwargs): """Set up override values.""" my_kwargs = dict(Effect=AWS.Allow, Resource=["*"]) my_kwargs.update(kwargs) - super(AllowEverywhere, self).__init__(*args, **my_kwargs) + super().__init__(*args, **my_kwargs) def _service_assume_role(service: str) -> AWS.Policy: diff --git a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/counting.py b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/counting.py index dc754aeca..da6c74cfc 100644 --- a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/counting.py +++ b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/counting.py @@ -30,7 +30,7 @@ class CountingMasterKeyConfig(MasterKeyConfig): def __init__(self) -> None: """Set the key id to "test_counting_prov_info".""" - super(CountingMasterKeyConfig, self).__init__(key_id=b"test_counting_prov_info") + super().__init__(key_id=b"test_counting_prov_info") class CountingMasterKey(MasterKey): diff --git a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/null.py b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/null.py index b72705d75..3eb90b3b9 100644 --- a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/null.py +++ b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/key_providers/null.py @@ -26,7 +26,7 @@ class NullMasterKeyConfig(MasterKeyConfig): def __init__(self) -> None: """Set the key id to "null".""" - super(NullMasterKeyConfig, self).__init__(key_id=b"null") + super().__init__(key_id=b"null") class NullMasterKey(MasterKey): diff --git a/decrypt_oracle/src/pylintrc b/decrypt_oracle/src/pylintrc index 78463742c..8dcba5d63 100644 --- a/decrypt_oracle/src/pylintrc +++ b/decrypt_oracle/src/pylintrc @@ -3,7 +3,6 @@ disable = bad-continuation, # we let black handle this ungrouped-imports, # we let isort handle this - useless-object-inheritance, # we need to support Python 2, so no, not useless [FORMAT] max-line-length = 120 diff --git a/decrypt_oracle/test/integration/integration_test_utils.py b/decrypt_oracle/test/integration/integration_test_utils.py index 6f37bd6d2..1fd08fc08 100644 --- a/decrypt_oracle/test/integration/integration_test_utils.py +++ b/decrypt_oracle/test/integration/integration_test_utils.py @@ -38,13 +38,13 @@ def decrypt_endpoint() -> Text: try: deployment_id = os.environ[DEPLOYMENT_ID] region = os.environ[DEPLOYMENT_REGION] - except KeyError: + except KeyError as error: raise ValueError( ( 'Environment variables "{region}" and "{deployment}" ' "must be set to the correct values for the deployed decrypt oracle." ).format(region=DEPLOYMENT_REGION, deployment=DEPLOYMENT_ID) - ) + ) from error _ENDPOINT = "https://{deployment_id}.execute-api.{region}.amazonaws.com/api/v0/decrypt".format( deployment_id=deployment_id, region=region @@ -56,12 +56,12 @@ def get_cmk_arn() -> Text: """Retrieve the target CMK ARN from environment variable.""" try: arn = os.environ[AWS_KMS_KEY_ID] - except KeyError: + except KeyError as error: raise ValueError( 'Environment variable "{}" must be set to a valid KMS CMK ARN for integration tests to run'.format( AWS_KMS_KEY_ID ) - ) + ) from error if arn.startswith("arn:") and ":alias/" not in arn: return arn diff --git a/examples/src/keyring/multi/aws_kms_with_escrow.py b/examples/src/keyring/multi/aws_kms_with_escrow.py index 90b57def4..79873b29f 100644 --- a/examples/src/keyring/multi/aws_kms_with_escrow.py +++ b/examples/src/keyring/multi/aws_kms_with_escrow.py @@ -69,7 +69,7 @@ def run(aws_kms_cmk, source_plaintext): # # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#use-raw-rsa-keyring key_namespace="some managed raw keys", - key_name=b"my RSA wrapping key", + key_name="my RSA wrapping key", public_wrapping_key=public_key, # The wrapping algorithm tells the raw RSA keyring # how to use your wrapping key to encrypt data keys. @@ -83,7 +83,7 @@ def run(aws_kms_cmk, source_plaintext): escrow_decrypt_keyring = RawRSAKeyring( # The key namespace and key name MUST match the encrypt keyring. key_namespace="some managed raw keys", - key_name=b"my RSA wrapping key", + key_name="my RSA wrapping key", private_wrapping_key=private_key, # The wrapping algorithm MUST match the encrypt keyring. wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, diff --git a/examples/src/keyring/raw_aes/raw_aes.py b/examples/src/keyring/raw_aes/raw_aes.py index 57b5c3487..54eb83341 100644 --- a/examples/src/keyring/raw_aes/raw_aes.py +++ b/examples/src/keyring/raw_aes/raw_aes.py @@ -44,7 +44,7 @@ def run(source_plaintext): # # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#use-raw-aes-keyring key_namespace="some managed raw keys", - key_name=b"my AES wrapping key", + key_name="my AES wrapping key", wrapping_key=key, ) diff --git a/examples/src/keyring/raw_rsa/keypair.py b/examples/src/keyring/raw_rsa/keypair.py index f053b75a3..125cf8b97 100644 --- a/examples/src/keyring/raw_rsa/keypair.py +++ b/examples/src/keyring/raw_rsa/keypair.py @@ -54,7 +54,7 @@ def run(source_plaintext): # # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#use-raw-rsa-keyring key_namespace="some managed raw keys", - key_name=b"my RSA wrapping key", + key_name="my RSA wrapping key", private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), # The wrapping algorithm tells the raw RSA keyring diff --git a/examples/src/keyring/raw_rsa/keypair_from_pem.py b/examples/src/keyring/raw_rsa/keypair_from_pem.py index 2ec7a6ba1..972f78f1c 100644 --- a/examples/src/keyring/raw_rsa/keypair_from_pem.py +++ b/examples/src/keyring/raw_rsa/keypair_from_pem.py @@ -70,7 +70,7 @@ def run(source_plaintext): # # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#use-raw-rsa-keyring key_namespace="some managed raw keys", - key_name=b"my RSA wrapping key", + key_name="my RSA wrapping key", private_encoded_key=private_key_pem, public_encoded_key=public_key_pem, # The wrapping algorithm tells the raw RSA keyring diff --git a/examples/src/keyring/raw_rsa/public_private_key_separate.py b/examples/src/keyring/raw_rsa/public_private_key_separate.py index dcda39cb9..eecdeb8d2 100644 --- a/examples/src/keyring/raw_rsa/public_private_key_separate.py +++ b/examples/src/keyring/raw_rsa/public_private_key_separate.py @@ -69,7 +69,7 @@ def run(source_plaintext): # # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#use-raw-rsa-keyring key_namespace="some managed raw keys", - key_name=b"my RSA wrapping key", + key_name="my RSA wrapping key", public_wrapping_key=public_key, # The wrapping algorithm tells the raw RSA keyring # how to use your wrapping key to encrypt data keys. @@ -83,7 +83,7 @@ def run(source_plaintext): private_key_keyring = RawRSAKeyring( # The key namespace and key name MUST match the encrypt keyring. key_namespace="some managed raw keys", - key_name=b"my RSA wrapping key", + key_name="my RSA wrapping key", private_wrapping_key=private_key, # The wrapping algorithm MUST match the encrypt keyring. wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, diff --git a/src/aws_encryption_sdk/__init__.py b/src/aws_encryption_sdk/__init__.py index 88da93d25..dcb5b6879 100644 --- a/src/aws_encryption_sdk/__init__.py +++ b/src/aws_encryption_sdk/__init__.py @@ -28,10 +28,10 @@ def encrypt(**kwargs): When using this function, the entire ciphertext message is encrypted into memory before returning any data. If streaming is desired, see :class:`aws_encryption_sdk.stream`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 The *keyring* parameter. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 For backwards compatibility, the new :class:`CryptoResult` return value also unpacks like a 2-member tuple. @@ -80,16 +80,15 @@ def encrypt(**kwargs): :param algorithm: Algorithm to use for encryption :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param int frame_length: Frame length in bytes - :returns: Encrypted message, message metadata (header), and keyring trace + :returns: Encrypted message and message metadata (header) :rtype: CryptoResult """ with StreamEncryptor(**kwargs) as encryptor: ciphertext = encryptor.read() header_copy = copy.deepcopy(encryptor.header) - keyring_trace_copy = copy.deepcopy(encryptor.keyring_trace) - return CryptoResult(result=ciphertext, header=header_copy, keyring_trace=keyring_trace_copy) + return CryptoResult(result=ciphertext, header=header_copy) def decrypt(**kwargs): @@ -99,10 +98,10 @@ def decrypt(**kwargs): When using this function, the entire ciphertext message is decrypted into memory before returning any data. If streaming is desired, see :class:`aws_encryption_sdk.stream`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 The *keyring* parameter. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 For backwards compatibility, the new :class:`CryptoResult` return value also unpacks like a 2-member tuple. @@ -142,16 +141,15 @@ def decrypt(**kwargs): :param int max_body_length: Maximum frame size (or content length for non-framed messages) in bytes to read from ciphertext message. - :returns: Decrypted plaintext, message metadata (header), and keyring trace + :returns: Decrypted plaintext and message metadata (header) :rtype: CryptoResult """ with StreamDecryptor(**kwargs) as decryptor: plaintext = decryptor.read() header_copy = copy.deepcopy(decryptor.header) - keyring_trace_copy = copy.deepcopy(decryptor.keyring_trace) - return CryptoResult(result=plaintext, header=header_copy, keyring_trace=keyring_trace_copy) + return CryptoResult(result=plaintext, header=header_copy) def stream(**kwargs): diff --git a/src/aws_encryption_sdk/exceptions.py b/src/aws_encryption_sdk/exceptions.py index 3c58dcea1..2c77f5839 100644 --- a/src/aws_encryption_sdk/exceptions.py +++ b/src/aws_encryption_sdk/exceptions.py @@ -43,13 +43,6 @@ class InvalidDataKeyError(AWSEncryptionSDKClientError): """Exception class for Invalid Data Keys.""" -class InvalidKeyringTraceError(AWSEncryptionSDKClientError): - """Exception class for invalid Keyring Traces. - - .. versionadded:: 1.5.0 - """ - - class InvalidProviderIdError(AWSEncryptionSDKClientError): """Exception class for Invalid Provider IDs.""" diff --git a/src/aws_encryption_sdk/identifiers.py b/src/aws_encryption_sdk/identifiers.py index 269afd702..e3c13c1ea 100644 --- a/src/aws_encryption_sdk/identifiers.py +++ b/src/aws_encryption_sdk/identifiers.py @@ -14,7 +14,6 @@ import struct from enum import Enum -import attr from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa from cryptography.hazmat.primitives.ciphers import algorithms, modes @@ -329,27 +328,3 @@ class ContentAADString(Enum): FRAME_STRING_ID = b"AWSKMSEncryptionClient Frame" FINAL_FRAME_STRING_ID = b"AWSKMSEncryptionClient Final Frame" NON_FRAMED_STRING_ID = b"AWSKMSEncryptionClient Single Block" - - -class KeyringTraceFlag(Enum): - """KeyRing Trace actions.""" - - @attr.s - class KeyringTraceFlagValue(object): - """Keyring trace flags do not have defined serializable values.""" - - name = attr.ib() - - #: A flag to represent that a keyring has generated a plaintext data key. - GENERATED_DATA_KEY = KeyringTraceFlagValue("GENERATED_DATA_KEY") - #: A flag to represent that a keyring has created an encrypted data key. - ENCRYPTED_DATA_KEY = KeyringTraceFlagValue("ENCRYPTED_DATA_KEY") - #: A flag to represent that a keyring has obtained - #: the corresponding plaintext data key from an encrypted data key. - DECRYPTED_DATA_KEY = KeyringTraceFlagValue("DECRYPTED_DATA_KEY") - #: A flag to represent that the keyring has cryptographically - #: bound the encryption context to a newly created encrypted data key. - SIGNED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("SIGNED_ENCRYPTION_CONTEXT") - #: A flag to represent that the keyring has verified that an encrypted - #: data key was originally created with a particular encryption context. - VERIFIED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("VERIFIED_ENCRYPTION_CONTEXT") diff --git a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py index f6340af65..5309166cf 100644 --- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py +++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 """Keyring for use with AWS Key Management Service (KMS). -.. versionadded:: 1.5.0 +.. versionadded:: 2.0.0 """ import logging @@ -17,7 +17,7 @@ from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.multi import MultiKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, KeyringTraceFlag, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey from .client_suppliers import DefaultClientSupplier @@ -25,6 +25,7 @@ try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Dict, Iterable, Union # noqa pylint: disable=unused-import + from .client_suppliers import ClientSupplierType # noqa pylint: disable=unused-import except ImportError: # pragma: no cover # We only actually need these imports when running the mypy checks @@ -33,9 +34,6 @@ __all__ = ("AwsKmsKeyring", "KEY_NAMESPACE") _LOGGER = logging.getLogger(__name__) -_GENERATE_FLAGS = {KeyringTraceFlag.GENERATED_DATA_KEY} -_ENCRYPT_FLAGS = {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT} -_DECRYPT_FLAGS = {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT} #: Key namespace used for all encrypted data keys created by the KMS keyring. KEY_NAMESPACE = "aws-kms" @@ -77,7 +75,7 @@ class AwsKmsKeyring(Keyring): .. _discovery mode: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#kms-keyring-discovery - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param ClientSupplier client_supplier: Client supplier that provides AWS KMS clients (optional) :param bool is_discovery: Should this be a discovery keyring (optional) @@ -165,7 +163,7 @@ class _AwsKmsSingleCmkKeyring(Keyring): This keyring should never be used directly. It should only ever be used internally by :class:`AwsKmsKeyring`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param str key_id: CMK key ID :param ClientSupplier client_supplier: Client supplier to use when asking for clients @@ -181,7 +179,6 @@ class _AwsKmsSingleCmkKeyring(Keyring): def on_encrypt(self, encryption_materials): # type: (EncryptionMaterials) -> EncryptionMaterials - trace_info = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id) new_materials = encryption_materials try: if new_materials.data_encryption_key is None: @@ -192,10 +189,7 @@ def on_encrypt(self, encryption_materials): algorithm=new_materials.algorithm, grant_tokens=self._grant_tokens, ) - new_materials = new_materials.with_data_encryption_key( - data_encryption_key=plaintext_key, - keyring_trace=KeyringTrace(wrapping_key=trace_info, flags=_GENERATE_FLAGS), - ) + new_materials = new_materials.with_data_encryption_key(data_encryption_key=plaintext_key) else: encrypted_key = _do_aws_kms_encrypt( client_supplier=self._client_supplier, @@ -206,13 +200,13 @@ def on_encrypt(self, encryption_materials): ) except Exception: # pylint: disable=broad-except # We intentionally WANT to catch all exceptions here - message = "Unable to generate or encrypt data key using {}".format(trace_info) + message = "Unable to generate or encrypt data key using {}".format( + MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id) + ) _LOGGER.exception(message) raise EncryptKeyError(message) - return new_materials.with_encrypted_data_key( - encrypted_data_key=encrypted_key, keyring_trace=KeyringTrace(wrapping_key=trace_info, flags=_ENCRYPT_FLAGS) - ) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials @@ -243,7 +237,7 @@ class _AwsKmsDiscoveryKeyring(Keyring): This keyring should never be used directly. It should only ever be used internally by :class:`AwsKmsKeyring`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param ClientSupplier client_supplier: Client supplier to use when asking for clients :param List[str] grant_tokens: AWS KMS grant tokens to include in requests (optional) @@ -284,7 +278,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en Any errors encountered are caught and logged. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ try: @@ -300,10 +294,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en _LOGGER.exception("Unable to decrypt encrypted data key from %s", encrypted_data_key.key_provider) return decryption_materials - return decryption_materials.with_data_encryption_key( - data_encryption_key=plaintext_key, - keyring_trace=KeyringTrace(wrapping_key=encrypted_data_key.key_provider, flags=_DECRYPT_FLAGS), - ) + return decryption_materials.with_data_encryption_key(data_encryption_key=plaintext_key) def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryption_context, grant_tokens): @@ -312,7 +303,7 @@ def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryptio Any errors encountered are passed up the chain without comment. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ region = _region_from_key_id(encrypted_data_key.key_provider.key_info.decode("utf-8")) @@ -359,7 +350,7 @@ def _do_aws_kms_generate_data_key(client_supplier, key_name, encryption_context, Any errors encountered are passed up the chain without comment. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ region = _region_from_key_id(key_name) @@ -382,7 +373,7 @@ def _region_from_key_id(key_id): If the region cannot be found, ``None`` is returned instead. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ parts = key_id.split(":", 4) diff --git a/src/aws_encryption_sdk/keyrings/raw.py b/src/aws_encryption_sdk/keyrings/raw.py index ddb07fb03..d352224ee 100644 --- a/src/aws_encryption_sdk/keyrings/raw.py +++ b/src/aws_encryption_sdk/keyrings/raw.py @@ -1,6 +1,7 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """Resources required for Raw Keyrings.""" +import codecs import logging import os @@ -12,14 +13,15 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey from aws_encryption_sdk.exceptions import EncryptKeyError, GenerateKeyError -from aws_encryption_sdk.identifiers import EncryptionKeyType, KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import EncryptedData, WrappingKey +from aws_encryption_sdk.internal.defaults import ENCODING from aws_encryption_sdk.internal.formatting.deserialize import deserialize_wrapped_key from aws_encryption_sdk.internal.formatting.serialize import serialize_raw_master_key_prefix, serialize_wrapped_key from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Iterable # noqa pylint: disable=unused-import @@ -55,15 +57,10 @@ def _generate_data_key( _LOGGER.exception(error_message) raise GenerateKeyError("Unable to generate data encryption key.") - # Create a keyring trace - keyring_trace = KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.GENERATED_DATA_KEY}) - # plaintext_data_key to RawDataKey data_encryption_key = RawDataKey(key_provider=key_provider, data_key=plaintext_data_key) - return encryption_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace - ) + return encryption_materials.with_data_encryption_key(data_encryption_key=data_encryption_key,) @attr.s @@ -71,10 +68,14 @@ class RawAESKeyring(Keyring): """Generate an instance of Raw AES Keyring which encrypts using AES-GCM algorithm using wrapping key provided as a byte array - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param str key_namespace: String defining the keyring. - :param bytes key_name: Key ID + + .. note:: + key_namespace MUST NOT equal "aws-kms". + + :param str key_name: Key ID :param bytes wrapping_key: Encryption key with which to wrap plaintext data key. .. note:: @@ -83,7 +84,7 @@ class RawAESKeyring(Keyring): """ key_namespace = attr.ib(validator=instance_of(six.string_types)) - key_name = attr.ib(validator=instance_of(six.binary_type)) + key_name = attr.ib(validator=instance_of(six.string_types)) _wrapping_key = attr.ib(repr=False, validator=instance_of(six.binary_type)) def __attrs_post_init__(self): @@ -98,6 +99,9 @@ def __attrs_post_init__(self): ) } + if self.key_namespace == "aws-kms": + raise ValueError('Key namespace MUST NOT be "aws-kms"') + try: self._wrapping_algorithm = key_size_to_wrapping_algorithm[len(self._wrapping_key)] except KeyError: @@ -168,13 +172,7 @@ def on_encrypt(self, encryption_materials): _LOGGER.exception(error_message) raise EncryptKeyError(error_message) - # Update Keyring Trace - keyring_trace = KeyringTrace( - wrapping_key=self._key_provider, - flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT}, - ) - - return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials @@ -201,9 +199,11 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys): ): continue + encoded_key_name = codecs.encode(self.key_name, ENCODING) + # Wrapped EncryptedDataKey to deserialized EncryptedData encrypted_wrapped_key = deserialize_wrapped_key( - wrapping_algorithm=self._wrapping_algorithm, wrapping_key_id=self.key_name, wrapped_encrypted_key=key + wrapping_algorithm=self._wrapping_algorithm, wrapping_key_id=encoded_key_name, wrapped_encrypted_key=key ) # EncryptedData to raw key string @@ -221,18 +221,10 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys): # until it either succeeds or runs out of encrypted data keys. continue - # Create a keyring trace - keyring_trace = KeyringTrace( - wrapping_key=self._key_provider, - flags={KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT}, - ) - # Update decryption materials data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key) - return new_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace - ) + return new_materials.with_data_encryption_key(data_encryption_key=data_encryption_key) return new_materials @@ -242,10 +234,14 @@ class RawRSAKeyring(Keyring): """Generate an instance of Raw RSA Keyring which performs asymmetric encryption and decryption using public and private keys provided - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param str key_namespace: String defining the keyring ID - :param bytes key_name: Key ID + + .. note:: + key_namespace MUST NOT equal "aws-kms". + + :param str key_name: Key ID :param cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey private_wrapping_key: Private encryption key with which to wrap plaintext data key (optional) :param cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey public_wrapping_key: @@ -259,7 +255,7 @@ class RawRSAKeyring(Keyring): """ key_namespace = attr.ib(validator=instance_of(six.string_types)) - key_name = attr.ib(validator=instance_of(six.binary_type)) + key_name = attr.ib(validator=instance_of(six.string_types)) _wrapping_algorithm = attr.ib( repr=False, validator=in_( @@ -280,6 +276,9 @@ def __attrs_post_init__(self): """Prepares initial values not handled by attrs.""" self._key_provider = MasterKeyInfo(provider_id=self.key_namespace, key_info=self.key_name) + if self.key_namespace == "aws-kms": + raise ValueError('Key namespace MUST NOT be "aws-kms"') + if self._public_wrapping_key is None and self._private_wrapping_key is None: raise TypeError("At least one of public key or private key must be provided.") @@ -407,11 +406,8 @@ def on_encrypt(self, encryption_materials): _LOGGER.exception(error_message) raise EncryptKeyError(error_message) - # Update Keyring Trace - keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}) - # Add encrypted data key to encryption_materials - return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials @@ -436,9 +432,11 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys): if key.key_provider != self._key_provider: continue + encoded_key_name = codecs.encode(self.key_name, ENCODING) + # Wrapped EncryptedDataKey to deserialized EncryptedData encrypted_wrapped_key = deserialize_wrapped_key( - wrapping_algorithm=self._wrapping_algorithm, wrapping_key_id=self.key_name, wrapped_encrypted_key=key + wrapping_algorithm=self._wrapping_algorithm, wrapping_key_id=encoded_key_name, wrapped_encrypted_key=key ) try: plaintext_data_key = self._private_wrapping_key.decrypt( @@ -451,14 +449,9 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys): # until it either succeeds or runs out of encrypted data keys. continue - # Create a keyring trace - keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}) - # Update decryption materials data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key) - return new_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace - ) + return new_materials.with_data_encryption_key(data_encryption_key=data_encryption_key) return new_materials diff --git a/src/aws_encryption_sdk/materials_managers/__init__.py b/src/aws_encryption_sdk/materials_managers/__init__.py index 8c8c33886..354f3c49e 100644 --- a/src/aws_encryption_sdk/materials_managers/__init__.py +++ b/src/aws_encryption_sdk/materials_managers/__init__.py @@ -20,11 +20,11 @@ import six from attr.validators import deep_iterable, deep_mapping, instance_of, optional -from aws_encryption_sdk.exceptions import InvalidDataKeyError, InvalidKeyringTraceError, SignatureKeyError -from aws_encryption_sdk.identifiers import Algorithm, KeyringTraceFlag +from aws_encryption_sdk.exceptions import InvalidDataKeyError, SignatureKeyError +from aws_encryption_sdk.identifiers import Algorithm from aws_encryption_sdk.internal.crypto.authentication import Signer, Verifier from aws_encryption_sdk.internal.utils.streams import ROStream -from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, KeyringTrace, RawDataKey +from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, RawDataKey try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Any, Iterable, Tuple, Union # noqa pylint: disable=unused-import @@ -75,13 +75,11 @@ def _data_key_to_raw_data_key(data_key): class CryptographicMaterials(object): """Cryptographic materials core. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param Algorithm algorithm: Algorithm to use for encrypting message :param dict encryption_context: Encryption context tied to `encrypted_data_keys` :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message - :param keyring_trace: Any KeyRing trace entries - :type keyring_trace: list of :class:`KeyringTrace` """ algorithm = attr.ib(validator=optional(instance_of(Algorithm))) @@ -93,9 +91,6 @@ class CryptographicMaterials(object): data_encryption_key = attr.ib( default=None, validator=optional(instance_of(RawDataKey)), converter=_data_key_to_raw_data_key ) - _keyring_trace = attr.ib( - default=attr.Factory(list), validator=optional(deep_iterable(member_validator=instance_of(KeyringTrace))) - ) _initialized = False def __attrs_post_init__(self): @@ -115,31 +110,19 @@ def _setattr(self, key, value): """Special __setattr__ to avoid having to perform multi-level super calls.""" super(CryptographicMaterials, self).__setattr__(key, value) - def _validate_data_encryption_key(self, data_encryption_key, keyring_trace, required_flags): - # type: (Union[DataKey, RawDataKey], KeyringTrace, Iterable[KeyringTraceFlag]) -> None - """Validate that the provided data encryption key and keyring trace match for each other and the materials. + def _validate_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> None + """Validate that the provided data encryption key matches the materials. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Keyring trace corresponding to data_encryption_key - :param required_flags: Iterable of required flags - :type required_flags: iterable of :class:`KeyringTraceFlag` :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match decrypt action - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ if self.data_encryption_key is not None: raise AttributeError("Data encryption key is already set.") - for flag in required_flags: - if flag not in keyring_trace.flags: - raise InvalidKeyringTraceError("Keyring flags do not match action.") - - if keyring_trace.wrapping_key != data_encryption_key.key_provider: - raise InvalidKeyringTraceError("Keyring trace does not match data key provider.") - if len(data_encryption_key.data_key) != self.algorithm.kdf_input_len: raise InvalidDataKeyError( "Invalid data key length {actual} must be {expected}.".format( @@ -147,25 +130,17 @@ def _validate_data_encryption_key(self, data_encryption_key, keyring_trace, requ ) ) - def _with_data_encryption_key(self, data_encryption_key, keyring_trace, required_flags): - # type: (Union[DataKey, RawDataKey], KeyringTrace, Iterable[KeyringTraceFlag]) -> CryptographicMaterials + def _with_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> CryptographicMaterials """Get new cryptographic materials that include this data encryption key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this data encryption key - :param required_flags: Iterable of required flags - :type required_flags: iterable of :class:`KeyringTraceFlag` :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match required actions - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ - self._validate_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace, required_flags=required_flags - ) + self._validate_data_encryption_key(data_encryption_key=data_encryption_key) new_materials = copy.copy(self) @@ -173,19 +148,9 @@ def _with_data_encryption_key(self, data_encryption_key, keyring_trace, required new_materials._setattr( # simplify access to copies pylint: disable=protected-access "data_encryption_key", data_key ) - new_materials._keyring_trace.append(keyring_trace) # simplify access to copies pylint: disable=protected-access return new_materials - @property - def keyring_trace(self): - # type: () -> Tuple[KeyringTrace] - """Return a read-only version of the keyring trace. - - :rtype: tuple - """ - return tuple(self._keyring_trace) - @attr.s(hash=False, init=False) class EncryptionMaterials(CryptographicMaterials): @@ -193,11 +158,7 @@ class EncryptionMaterials(CryptographicMaterials): .. versionadded:: 1.3.0 - .. versionadded:: 1.5.0 - - The **keyring_trace** parameter. - - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 Most parameters are now optional. @@ -207,8 +168,6 @@ class EncryptionMaterials(CryptographicMaterials): :type encrypted_data_keys: list of :class:`EncryptedDataKey` :param dict encryption_context: Encryption context tied to `encrypted_data_keys` :param bytes signing_key: Encoded signing key (optional) - :param keyring_trace: Any KeyRing trace entries (optional) - :type keyring_trace: list of :class:`KeyringTrace` """ _encrypted_data_keys = attr.ib( @@ -257,7 +216,6 @@ def __copy__(self): encrypted_data_keys=copy.copy(self._encrypted_data_keys), encryption_context=self.encryption_context.copy(), signing_key=self.signing_key, - keyring_trace=copy.copy(self._keyring_trace), ) @property @@ -287,68 +245,44 @@ def is_complete(self): return True - def with_data_encryption_key(self, data_encryption_key, keyring_trace): - # type: (Union[DataKey, RawDataKey], KeyringTrace) -> EncryptionMaterials + def with_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> EncryptionMaterials """Get new encryption materials that also include this data encryption key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this data encryption key :rtype: EncryptionMaterials :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match generate action - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ - return self._with_data_encryption_key( - data_encryption_key=data_encryption_key, - keyring_trace=keyring_trace, - required_flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) + return self._with_data_encryption_key(data_encryption_key=data_encryption_key,) - def with_encrypted_data_key(self, encrypted_data_key, keyring_trace): - # type: (EncryptedDataKey, KeyringTrace) -> EncryptionMaterials - """Get new encryption materials that also include this encrypted data key with corresponding keyring trace. + def with_encrypted_data_key(self, encrypted_data_key): + # type: (EncryptedDataKey) -> EncryptionMaterials + """Get new encryption materials that also include this encrypted data key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param EncryptedDataKey encrypted_data_key: Encrypted data key to add - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this encrypted data key :rtype: EncryptionMaterials :raises AttributeError: if data encryption key is not set - :raises InvalidKeyringTraceError: if keyring trace does not match generate action - :raises InvalidKeyringTraceError: if keyring trace does not match data key encryptor """ if self.data_encryption_key is None: raise AttributeError("Data encryption key is not set.") - if KeyringTraceFlag.ENCRYPTED_DATA_KEY not in keyring_trace.flags: - raise InvalidKeyringTraceError("Keyring flags do not match action.") - - if not all( - ( - keyring_trace.wrapping_key.provider_id == encrypted_data_key.key_provider.provider_id, - keyring_trace.wrapping_key.key_name == encrypted_data_key.key_provider.key_name, - ) - ): - raise InvalidKeyringTraceError("Keyring trace does not match data key encryptor.") - new_materials = copy.copy(self) new_materials._encrypted_data_keys.append( # simplify access to copies pylint: disable=protected-access encrypted_data_key ) - new_materials._keyring_trace.append(keyring_trace) # simplify access to copies pylint: disable=protected-access return new_materials def with_signing_key(self, signing_key): # type: (bytes) -> EncryptionMaterials """Get new encryption materials that also include this signing key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param bytes signing_key: Signing key :rtype: EncryptionMaterials @@ -402,11 +336,11 @@ class DecryptionMaterials(CryptographicMaterials): .. versionadded:: 1.3.0 - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 - The **algorithm**, **data_encryption_key**, **encryption_context**, and **keyring_trace** parameters. + The **algorithm**, **data_encryption_key**, and **encryption_context** parameters. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 All parameters are now optional. @@ -414,8 +348,6 @@ class DecryptionMaterials(CryptographicMaterials): :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message (optional) :param dict encryption_context: Encryption context tied to `encrypted_data_keys` (optional) :param bytes verification_key: Raw signature verification key (optional) - :param keyring_trace: Any KeyRing trace entries (optional) - :type keyring_trace: list of :class:`KeyringTrace` """ verification_key = attr.ib(default=None, repr=False, validator=optional(instance_of(bytes))) @@ -450,7 +382,6 @@ def __copy__(self): data_encryption_key=self.data_encryption_key, encryption_context=copy.copy(self.encryption_context), verification_key=self.verification_key, - keyring_trace=copy.copy(self._keyring_trace), ) @property @@ -477,35 +408,27 @@ def data_key(self): """Backwards-compatible shim for access to data key.""" return self.data_encryption_key - def with_data_encryption_key(self, data_encryption_key, keyring_trace): - # type: (Union[DataKey, RawDataKey], KeyringTrace) -> DecryptionMaterials + def with_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> DecryptionMaterials """Get new decryption materials that also include this data encryption key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this data encryption key :rtype: DecryptionMaterials :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match decrypt action - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ if self.algorithm is None: raise AttributeError("Algorithm is not set") - return self._with_data_encryption_key( - data_encryption_key=data_encryption_key, - keyring_trace=keyring_trace, - required_flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}, - ) + return self._with_data_encryption_key(data_encryption_key=data_encryption_key) def with_verification_key(self, verification_key): # type: (bytes) -> DecryptionMaterials """Get new decryption materials that also include this verification key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param bytes verification_key: Verification key :rtype: DecryptionMaterials diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index ff549563d..678b80fe3 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py @@ -137,7 +137,6 @@ class _EncryptionStream(io.IOBase): _message_prepped = None # type: bool source_stream = None _stream_length = None # type: int - keyring_trace = () def __new__(cls, **kwargs): """Perform necessary handling for _EncryptionStream instances that should be @@ -444,7 +443,6 @@ def _prep_message(self): self._encryption_materials = self.config.materials_manager.get_encryption_materials( request=encryption_materials_request ) - self.keyring_trace = self._encryption_materials.keyring_trace if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( @@ -781,7 +779,6 @@ def _read_header(self): encryption_context=header.encryption_context, ) decryption_materials = self.config.materials_manager.decrypt_materials(request=decrypt_materials_request) - self.keyring_trace = decryption_materials.keyring_trace if decryption_materials.verification_key is None: self.verifier = None diff --git a/src/aws_encryption_sdk/structures.py b/src/aws_encryption_sdk/structures.py index 4e8275a2c..1b6f58026 100644 --- a/src/aws_encryption_sdk/structures.py +++ b/src/aws_encryption_sdk/structures.py @@ -17,7 +17,7 @@ import six from attr.validators import deep_iterable, deep_mapping, instance_of, optional -from aws_encryption_sdk.identifiers import Algorithm, ContentType, KeyringTraceFlag, ObjectType, SerializationVersion +from aws_encryption_sdk.identifiers import Algorithm, ContentType, ObjectType, SerializationVersion from aws_encryption_sdk.internal.str_ops import to_bytes, to_str try: # Python 3.5.0 and 3.5.1 have incompatible typing modules @@ -37,7 +37,7 @@ class MasterKeyInfo(object): For all other keyrings and master keys, ``key_info`` and ``key_name`` should always be the same. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 ``key_name`` :param str provider_id: MasterKey provider_id value @@ -60,7 +60,7 @@ def __attrs_post_init__(self): def key_namespace(self): """Access the key namespace value (previously, provider ID). - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ return self.provider_id @@ -83,7 +83,7 @@ def from_data_key(cls, data_key): # type: (DataKey) -> RawDataKey """Build an :class:`RawDataKey` from a :class:`DataKey`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ if not isinstance(data_key, DataKey): raise TypeError("data_key must be type DataKey not {}".format(type(data_key).__name__)) @@ -123,7 +123,7 @@ def from_data_key(cls, data_key): # type: (DataKey) -> EncryptedDataKey """Build an :class:`EncryptedDataKey` from a :class:`DataKey`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ if not isinstance(data_key, DataKey): raise TypeError("data_key must be type DataKey not {}".format(type(data_key).__name__)) @@ -133,20 +133,6 @@ def from_data_key(cls, data_key): ) -@attr.s -class KeyringTrace(object): - """Record of all actions that a KeyRing performed with a wrapping key. - - .. versionadded:: 1.5.0 - - :param MasterKeyInfo wrapping_key: Wrapping key used - :param Set[KeyringTraceFlag] flags: Actions performed - """ - - wrapping_key = attr.ib(validator=instance_of(MasterKeyInfo)) - flags = attr.ib(validator=deep_iterable(member_validator=instance_of(KeyringTraceFlag))) - - @attr.s(hash=True) class MessageHeader(object): # pylint: disable=too-many-instance-attributes @@ -185,7 +171,7 @@ class MessageHeader(object): class CryptoResult(object): """Result container for one-shot cryptographic API results. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 .. note:: @@ -195,12 +181,10 @@ class CryptoResult(object): :param bytes result: Binary results of the cryptographic operation :param MessageHeader header: Encrypted message metadata - :param Tuple[KeyringTrace] keyring_trace: Keyring trace entries """ result = attr.ib(validator=instance_of(bytes)) header = attr.ib(validator=instance_of(MessageHeader)) - keyring_trace = attr.ib(validator=deep_iterable(member_validator=instance_of(KeyringTrace))) def __attrs_post_init__(self): """Construct the inner tuple for backwards compatibility.""" diff --git a/src/pylintrc b/src/pylintrc index 1722f208c..64e6dd447 100644 --- a/src/pylintrc +++ b/src/pylintrc @@ -5,12 +5,15 @@ disable = ungrouped-imports, # we let isort handle this no-member, # breaks with attrs no-self-use, # interesting to keep in mind for later refactoring, but not blocking - useless-object-inheritance, # we need to support Python 2, so no, not useless too-few-public-methods, # does not allow value stores no-else-return, # we omit this on purpose for brevity where it would add no value attribute-defined-outside-init, # breaks with attrs_post_init abstract-method, # throws false positives on io.BaseIO grandchildren redefined-outer-name, # we do this on purpose in multiple places + # All below are disabled because we need to support Python 2 + useless-object-inheritance, + raise-missing-from, + super-with-arguments, [BASIC] # Allow function names up to 50 characters diff --git a/test/functional/keyrings/aws_kms/test_aws_kms.py b/test/functional/keyrings/aws_kms/test_aws_kms.py index 2aca1c15a..7dbfcc612 100644 --- a/test/functional/keyrings/aws_kms/test_aws_kms.py +++ b/test/functional/keyrings/aws_kms/test_aws_kms.py @@ -1,7 +1,6 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """Functional tests for ``aws_encryption_sdk.keyrings.aws_kms``.""" -import itertools import logging import os @@ -10,11 +9,9 @@ from moto.kms import mock_kms from aws_encryption_sdk.exceptions import DecryptKeyError, EncryptKeyError -from aws_encryption_sdk.identifiers import KeyringTraceFlag from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.keyrings.aws_kms import ( KEY_NAMESPACE, - AwsKmsKeyring, _AwsKmsDiscoveryKeyring, _AwsKmsSingleCmkKeyring, _do_aws_kms_decrypt, @@ -24,7 +21,7 @@ ) from aws_encryption_sdk.keyrings.aws_kms.client_suppliers import DefaultClientSupplier from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey # used as fixtures from ...functional_test_utils import fake_generator # noqa pylint: disable=unused-import @@ -40,13 +37,6 @@ pytestmark = [pytest.mark.functional, pytest.mark.local] -def _matching_flags(wrapping_key, keyring_trace): - # type: (MasterKeyInfo, Iterable[KeyringTrace]) -> List[KeyringTraceFlag] - return list( - itertools.chain.from_iterable([entry.flags for entry in keyring_trace if entry.wrapping_key == wrapping_key]) - ) - - def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator): keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier()) @@ -57,14 +47,6 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator): assert result_materials.data_encryption_key is not None assert len(result_materials.encrypted_data_keys) == 1 - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.GENERATED_DATA_KEY in generator_flags - assert KeyringTraceFlag.ENCRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT in generator_flags - def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator): keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier()) @@ -83,14 +65,6 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator) assert result_materials.data_encryption_key is not None assert len(result_materials.encrypted_data_keys) == 1 - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.GENERATED_DATA_KEY not in generator_flags - assert KeyringTraceFlag.ENCRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT in generator_flags - @mock_kms def test_aws_kms_single_cmk_keyring_on_encrypt_fail(): @@ -153,44 +127,6 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk(fake_generator): assert result_materials is not initial_decryption_materials assert result_materials.data_encryption_key is not None - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags - - -def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_child): - generator, child = fake_generator_and_child - - encrypting_keyring = AwsKmsKeyring(generator_key_id=generator, key_ids=(child,)) - decrypting_keyring = _AwsKmsSingleCmkKeyring(key_id=child, client_supplier=DefaultClientSupplier()) - - initial_encryption_materials = EncryptionMaterials(algorithm=ALGORITHM, encryption_context={}) - - encryption_materials = encrypting_keyring.on_encrypt(initial_encryption_materials) - - initial_decryption_materials = DecryptionMaterials( - algorithm=encryption_materials.algorithm, encryption_context=encryption_materials.encryption_context - ) - - result_materials = decrypting_keyring.on_decrypt( - decryption_materials=initial_decryption_materials, encrypted_data_keys=encryption_materials.encrypted_data_keys - ) - - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator), result_materials.keyring_trace - ) - assert len(generator_flags) == 0 - - child_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=child), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in child_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in child_flags - def test_aws_kms_single_cmk_keyring_on_decrypt_no_match(fake_generator_and_child): generator, child = fake_generator_and_child @@ -259,7 +195,7 @@ def encryption_materials_for_discovery_decrypt(fake_generator): def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery_decrypt): - generator_key_id, encryption_materials = encryption_materials_for_discovery_decrypt + _, encryption_materials = encryption_materials_for_discovery_decrypt decrypting_keyring = _AwsKmsDiscoveryKeyring(client_supplier=DefaultClientSupplier()) @@ -274,13 +210,6 @@ def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery assert result_materials is not initial_decryption_materials assert result_materials.data_encryption_key is not None - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator_key_id), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags - @mock_kms def test_aws_kms_discovery_keyring_on_decrypt_existing_data_key(caplog): @@ -380,13 +309,6 @@ def test_try_aws_kms_decrypt_succeed(fake_generator): assert result_materials.data_encryption_key.data_key == plaintext - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags - @mock_kms def test_try_aws_kms_decrypt_error(caplog): diff --git a/test/functional/keyrings/raw/test_raw_aes.py b/test/functional/keyrings/raw/test_raw_aes.py index 9759f2ce9..9b55d33a4 100644 --- a/test/functional/keyrings/raw/test_raw_aes.py +++ b/test/functional/keyrings/raw/test_raw_aes.py @@ -14,25 +14,19 @@ import pytest -from aws_encryption_sdk.identifiers import ( - Algorithm, - EncryptionKeyType, - EncryptionType, - KeyringTraceFlag, - WrappingAlgorithm, -) +from aws_encryption_sdk.identifiers import Algorithm, EncryptionKeyType, EncryptionType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto import WrappingKey from aws_encryption_sdk.internal.formatting.serialize import serialize_raw_master_key_prefix from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.raw import RawAESKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.functional, pytest.mark.local] _ENCRYPTION_CONTEXT = {"encryption": "context", "values": "here"} -_PROVIDER_ID = "Random Raw Keys" -_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada" +_KEY_NAMESPACE = "Random Raw Keys" +_KEY_NAME = "5325b043-5843-4629-869c-64794af77ada" _WRAPPING_KEY = b"12345678901234567890123456789012" _SIGNING_KEY = b"aws-crypto-public-key" @@ -49,17 +43,11 @@ def sample_encryption_materials(): EncryptionMaterials( algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ), ] @@ -68,8 +56,8 @@ def sample_encryption_materials(): def test_raw_aes_encryption_decryption(encryption_materials_samples): # Initializing attributes - key_namespace = _PROVIDER_ID - key_name = _KEY_ID + key_namespace = _KEY_NAMESPACE + key_name = _KEY_NAME # Creating an instance of a raw AES keyring test_raw_aes_keyring = RawAESKeyring(key_namespace=key_namespace, key_name=key_name, wrapping_key=_WRAPPING_KEY,) @@ -97,8 +85,8 @@ def test_raw_aes_encryption_decryption(encryption_materials_samples): def test_raw_master_key_decrypts_what_raw_keyring_encrypts(encryption_materials_samples): # Initializing attributes - key_namespace = _PROVIDER_ID - key_name = _KEY_ID + key_namespace = _KEY_NAMESPACE + key_name = _KEY_NAME # Creating an instance of a raw AES keyring test_raw_aes_keyring = RawAESKeyring(key_namespace=key_namespace, key_name=key_name, wrapping_key=_WRAPPING_KEY,) @@ -128,8 +116,8 @@ def test_raw_master_key_decrypts_what_raw_keyring_encrypts(encryption_materials_ def test_raw_keyring_decrypts_what_raw_master_key_encrypts(encryption_materials_samples): # Initializing attributes - key_namespace = _PROVIDER_ID - key_name = _KEY_ID + key_namespace = _KEY_NAMESPACE + key_name = _KEY_NAME # Creating an instance of a raw AES keyring test_raw_aes_keyring = RawAESKeyring(key_namespace=key_namespace, key_name=key_name, wrapping_key=_WRAPPING_KEY,) @@ -165,11 +153,12 @@ def test_raw_keyring_decrypts_what_raw_master_key_encrypts(encryption_materials_ @pytest.mark.parametrize("wrapping_algorithm", _WRAPPING_ALGORITHM) def test_key_info_prefix_vectors(wrapping_algorithm): + expected_prefix = _KEY_NAME.encode() + b"\x00\x00\x00\x80\x00\x00\x00\x0c" assert ( serialize_raw_master_key_prefix( raw_master_key=RawMasterKey( - provider_id=_PROVIDER_ID, - key_id=_KEY_ID, + provider_id=_KEY_NAMESPACE, + key_id=_KEY_NAME, wrapping_key=WrappingKey( wrapping_algorithm=wrapping_algorithm, wrapping_key=_WRAPPING_KEY, @@ -177,5 +166,21 @@ def test_key_info_prefix_vectors(wrapping_algorithm): ), ) ) - == _KEY_ID + b"\x00\x00\x00\x80\x00\x00\x00\x0c" + == expected_prefix ) + + +def test_must_not_accept_aws_kms(): + + # Initializing attributes + key_namespace = "aws-kms" + key_name = _KEY_NAME + + # Attempt to instantiate a raw AES keyring + with pytest.raises(ValueError) as excinfo: + RawAESKeyring( + key_namespace=key_namespace, key_name=key_name, wrapping_key=_WRAPPING_KEY, + ) + + # Check the error message + excinfo.match('Key namespace MUST NOT be "aws-kms"') diff --git a/test/functional/keyrings/raw/test_raw_rsa.py b/test/functional/keyrings/raw/test_raw_rsa.py index f72ffee51..47be10ddc 100644 --- a/test/functional/keyrings/raw/test_raw_rsa.py +++ b/test/functional/keyrings/raw/test_raw_rsa.py @@ -18,24 +18,18 @@ from cryptography.hazmat.primitives.asymmetric import rsa from aws_encryption_sdk.exceptions import EncryptKeyError -from aws_encryption_sdk.identifiers import ( - Algorithm, - EncryptionKeyType, - EncryptionType, - KeyringTraceFlag, - WrappingAlgorithm, -) +from aws_encryption_sdk.identifiers import Algorithm, EncryptionKeyType, EncryptionType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto import WrappingKey from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.raw import RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.functional, pytest.mark.local] _ENCRYPTION_CONTEXT = {"encryption": "context", "values": "here"} -_PROVIDER_ID = "Random Raw Keys" -_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada" +_KEY_NAMESPACE = "Random Raw Keys" +_KEY_NAME = "5325b043-5843-4629-869c-64794af77ada" _WRAPPING_ALGORITHM = WrappingAlgorithm.RSA_OAEP_SHA256_MGF1 _PUBLIC_EXPONENT = 65537 @@ -89,16 +83,10 @@ def sample_encryption_materials(): EncryptionMaterials( algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ), ] @@ -107,52 +95,52 @@ def sample_raw_rsa_keyring_using_different_wrapping_algorithm(): for alg in WrappingAlgorithm: if alg.encryption_type is EncryptionType.ASYMMETRIC: yield RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=alg, private_wrapping_key=_PRIVATE_WRAPPING_KEY, public_wrapping_key=_PUBLIC_WRAPPING_KEY, ) pem_and_der_encoded_raw_rsa_keyring = [ RawRSAKeyring.from_pem_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, private_encoded_key=_RAW_RSA_PRIVATE_KEY_PEM_ENCODED_WITHOUT_PASSWORD, public_encoded_key=_RAW_RSA_PUBLIC_KEY_PEM_ENCODED, wrapping_algorithm=_WRAPPING_ALGORITHM, ), RawRSAKeyring.from_pem_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, private_encoded_key=_RAW_RSA_PRIVATE_KEY_PEM_ENCODED_WITH_PASSWORD, public_encoded_key=_RAW_RSA_PUBLIC_KEY_PEM_ENCODED, password=b"mypassword", wrapping_algorithm=_WRAPPING_ALGORITHM, ), RawRSAKeyring.from_pem_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, public_encoded_key=_RAW_RSA_PUBLIC_KEY_PEM_ENCODED, wrapping_algorithm=_WRAPPING_ALGORITHM, ), RawRSAKeyring.from_der_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, private_encoded_key=_RAW_RSA_PRIVATE_KEY_DER_ENCODED_WITHOUT_PASSWORD, public_encoded_key=_RAW_RSA_PUBLIC_KEY_DER_ENCODED, wrapping_algorithm=_WRAPPING_ALGORITHM, ), RawRSAKeyring.from_der_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, private_encoded_key=_RAW_RSA_PRIVATE_KEY_DER_ENCODED_WITH_PASSWORD, public_encoded_key=_RAW_RSA_PUBLIC_KEY_DER_ENCODED, password=b"mypassword", wrapping_algorithm=_WRAPPING_ALGORITHM, ), RawRSAKeyring.from_der_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, public_encoded_key=_RAW_RSA_PUBLIC_KEY_DER_ENCODED, wrapping_algorithm=_WRAPPING_ALGORITHM, ), @@ -190,8 +178,8 @@ def test_raw_rsa_encryption_decryption(encryption_materials_samples, test_raw_rs @pytest.mark.parametrize("encryption_materials_samples", sample_encryption_materials()) def test_raw_master_key_decrypts_what_raw_keyring_encrypts(encryption_materials_samples): test_raw_rsa_keyring = RawRSAKeyring.from_pem_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, private_encoded_key=_PRIVATE_WRAPPING_KEY_PEM, public_encoded_key=_PUBLIC_WRAPPING_KEY_PEM, @@ -199,8 +187,8 @@ def test_raw_master_key_decrypts_what_raw_keyring_encrypts(encryption_materials_ # Creating an instance of a raw master key test_raw_master_key = RawMasterKey( - key_id=_KEY_ID, - provider_id=_PROVIDER_ID, + key_id=_KEY_NAME, + provider_id=_KEY_NAMESPACE, wrapping_key=WrappingKey( wrapping_algorithm=_WRAPPING_ALGORITHM, wrapping_key=_PRIVATE_WRAPPING_KEY_PEM, @@ -226,8 +214,8 @@ def test_raw_keyring_decrypts_what_raw_master_key_encrypts(encryption_materials_ # Create instance of raw master key test_raw_master_key = RawMasterKey( - key_id=_KEY_ID, - provider_id=_PROVIDER_ID, + key_id=_KEY_NAME, + provider_id=_KEY_NAMESPACE, wrapping_key=WrappingKey( wrapping_algorithm=_WRAPPING_ALGORITHM, wrapping_key=_PRIVATE_WRAPPING_KEY_PEM, @@ -236,8 +224,8 @@ def test_raw_keyring_decrypts_what_raw_master_key_encrypts(encryption_materials_ ) test_raw_rsa_keyring = RawRSAKeyring.from_pem_encoding( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, private_encoded_key=_PRIVATE_WRAPPING_KEY_PEM, public_encoded_key=_PUBLIC_WRAPPING_KEY_PEM, @@ -268,8 +256,8 @@ def test_raw_keyring_decrypts_what_raw_master_key_encrypts(encryption_materials_ def test_public_key_only_can_encrypt(): test_keyring = RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, public_wrapping_key=_PUBLIC_WRAPPING_KEY, ) @@ -286,8 +274,8 @@ def test_public_key_only_can_encrypt(): def test_public_key_only_cannot_decrypt(): test_keyring = RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, public_wrapping_key=_PUBLIC_WRAPPING_KEY, ) @@ -310,15 +298,15 @@ def test_public_key_only_cannot_decrypt(): def test_private_key_can_decrypt(): complete_keyring = RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, private_wrapping_key=_PRIVATE_WRAPPING_KEY, public_wrapping_key=_PUBLIC_WRAPPING_KEY, ) test_keyring = RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, private_wrapping_key=_PRIVATE_WRAPPING_KEY, ) @@ -342,8 +330,8 @@ def test_private_key_can_decrypt(): def test_private_key_cannot_encrypt(): test_keyring = RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, private_wrapping_key=_PRIVATE_WRAPPING_KEY, ) @@ -363,11 +351,26 @@ def test_keypair_must_match(): with pytest.raises(ValueError) as excinfo: RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=_WRAPPING_ALGORITHM, private_wrapping_key=wrapping_key_a, public_wrapping_key=wrapping_key_b.public_key(), ) excinfo.match("Private and public wrapping keys MUST be from the same keypair.") + + +def test_must_not_accept_aws_kms(): + bad_key_namespace = "aws-kms" + + with pytest.raises(ValueError) as excinfo: + RawRSAKeyring( + key_namespace=bad_key_namespace, + key_name=_KEY_NAME, + wrapping_algorithm=_WRAPPING_ALGORITHM, + private_wrapping_key=_PRIVATE_WRAPPING_KEY, + public_wrapping_key=_PUBLIC_WRAPPING_KEY, + ) + + excinfo.match('Key namespace MUST NOT be "aws-kms"') diff --git a/test/functional/keyrings/test_multi.py b/test/functional/keyrings/test_multi.py index 43833a41a..bc454cd8a 100644 --- a/test/functional/keyrings/test_multi.py +++ b/test/functional/keyrings/test_multi.py @@ -16,18 +16,18 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa -from aws_encryption_sdk.identifiers import KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import WrappingAlgorithm from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.keyrings.multi import MultiKeyring from aws_encryption_sdk.keyrings.raw import RawAESKeyring, RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.functional, pytest.mark.local] _ENCRYPTION_CONTEXT = {"encryption": "context", "values": "here"} -_PROVIDER_ID = "Random Raw Keys" -_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada" +_KEY_NAMESPACE = "Random Raw Keys" +_KEY_NAME = "5325b043-5843-4629-869c-64794af77ada" _WRAPPING_KEY_AES = b"\xeby-\x80A6\x15rA8\x83#,\xe4\xab\xac`\xaf\x99Z\xc1\xce\xdb\xb6\x0f\xb7\x805\xb2\x14J3" _ENCRYPTION_MATERIALS_WITHOUT_DATA_KEY = EncryptionMaterials( @@ -37,33 +37,27 @@ _ENCRYPTION_MATERIALS_WITH_DATA_KEY = EncryptionMaterials( algorithm=ALGORITHM, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ) _rsa_private_key_a = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) _rsa_private_key_b = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) _MULTI_KEYRING_WITH_GENERATOR_AND_CHILDREN = MultiKeyring( - generator=RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY_AES,), + generator=RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY_AES,), children=[ RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=_rsa_private_key_a, public_wrapping_key=_rsa_private_key_a.public_key(), ), RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=_rsa_private_key_b, public_wrapping_key=_rsa_private_key_b.public_key(), @@ -73,8 +67,8 @@ _MULTI_KEYRING_WITHOUT_CHILDREN = MultiKeyring( generator=RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=_rsa_private_key_a, public_wrapping_key=_rsa_private_key_a.public_key(), @@ -84,13 +78,13 @@ _MULTI_KEYRING_WITHOUT_GENERATOR = MultiKeyring( children=[ RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=_rsa_private_key_a, public_wrapping_key=_rsa_private_key_a.public_key(), ), - RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY_AES,), + RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY_AES,), ] ) diff --git a/test/functional/test_client.py b/test/functional/test_client.py index ebe7e14d1..cbfba60a0 100644 --- a/test/functional/test_client.py +++ b/test/functional/test_client.py @@ -27,7 +27,6 @@ from aws_encryption_sdk.internal.formatting.encryption_context import serialize_encryption_context from aws_encryption_sdk.key_providers.base import MasterKeyProvider, MasterKeyProviderConfig from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider -from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.raw import RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterialsRequest, EncryptionMaterialsRequest @@ -469,31 +468,9 @@ def run_raw_provider_check( ) decrypt_result = aws_encryption_sdk.decrypt(source=encrypt_result.result, **decrypt_kwargs) - if isinstance(encrypting_provider, Keyring): - trace_entries = ( - entry - for entry in encrypt_result.keyring_trace - if ( - entry.wrapping_key.provider_id == encrypting_provider.key_namespace - and entry.wrapping_key.key_info == encrypting_provider.key_name - ) - ) - assert trace_entries - assert decrypt_result.result == VALUES["plaintext_128"] assert_key_not_logged(encrypting_provider, log_capturer.text) - if isinstance(decrypting_provider, Keyring): - trace_entries = ( - entry - for entry in decrypt_result.keyring_trace - if ( - entry.wrapping_key.provider_id == decrypting_provider.key_namespace - and entry.wrapping_key.key_info == decrypting_provider.key_name - ) - ) - assert trace_entries - @pytest.mark.parametrize( "encrypt_param_name, encrypting_provider, decrypt_param_name, decrypting_provider", diff --git a/test/pylintrc b/test/pylintrc index 8eb8ae678..599a9e182 100644 --- a/test/pylintrc +++ b/test/pylintrc @@ -8,7 +8,6 @@ disable = abstract-class-instantiated, # we do this on purpose to test that they are enforced no-member, # raised on patched objects with mock checks no-self-use, # common pattern when using pytest classes: can be enabled once all tests are refactored to pytest functions - useless-object-inheritance, # we need to support Python 2, so no, not useless duplicate-code, # unit tests for similar things tend to be similar too-many-instance-attributes, # common pattern when using pytest classes: can be enabled once all tests are refactored to pytest functions too-few-public-methods, # common when setting up mock classes @@ -19,6 +18,10 @@ disable = abstract-method, # we do this on purpose to test that they are enforced redefined-outer-name, # raised when using decorators unused-argument, # raised when patches are needed but not called + # All below are disabled because we need to support Python 2 + useless-object-inheritance, + raise-missing-from, + super-with-arguments, [VARIABLES] additional-builtins = raw_input diff --git a/test/unit/caches/test_local.py b/test/unit/caches/test_local.py index 6fd68c72f..a0ec14f1a 100644 --- a/test/unit/caches/test_local.py +++ b/test/unit/caches/test_local.py @@ -300,12 +300,12 @@ def patch_get_single_entry(mocker): def test_get_encryption_materials(patch_get_single_entry): cache = build_lcmc() - test = cache.get_encryption_materials(cache_key=sentinel.cache_key, plaintext_length=sentinel.plaintext_length) + plaintext_length = 42 + + test = cache.get_encryption_materials(cache_key=sentinel.cache_key, plaintext_length=plaintext_length) patch_get_single_entry.assert_called_once_with(sentinel.cache_key) - patch_get_single_entry.return_value._update_with_message_bytes_encrypted.assert_called_once_with( - sentinel.plaintext_length - ) + patch_get_single_entry.return_value._update_with_message_bytes_encrypted.assert_called_once_with(plaintext_length) assert test is patch_get_single_entry.return_value diff --git a/test/unit/keyrings/raw/test_raw_aes.py b/test/unit/keyrings/raw/test_raw_aes.py index 72961c7d4..399bf588f 100644 --- a/test/unit/keyrings/raw/test_raw_aes.py +++ b/test/unit/keyrings/raw/test_raw_aes.py @@ -20,7 +20,7 @@ import aws_encryption_sdk.key_providers.raw import aws_encryption_sdk.keyrings.raw from aws_encryption_sdk.exceptions import EncryptKeyError -from aws_encryption_sdk.identifiers import Algorithm, KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import Algorithm, WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.raw import GenerateKeyError, RawAESKeyring, _generate_data_key @@ -32,8 +32,8 @@ _ENCRYPTED_DATA_KEY_AES, _ENCRYPTED_DATA_KEY_NOT_IN_KEYRING, _ENCRYPTION_CONTEXT, - _KEY_ID, - _PROVIDER_ID, + _KEY_NAME, + _KEY_NAMESPACE, _SIGNING_KEY, _WRAPPING_KEY, get_decryption_materials_with_data_encryption_key, @@ -47,7 +47,7 @@ @pytest.fixture def raw_aes_keyring(): - return RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY,) + return RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY,) @pytest.fixture @@ -80,8 +80,8 @@ def test_parent(): def test_valid_parameters(raw_aes_keyring): test = raw_aes_keyring - assert test.key_name == _KEY_ID - assert test.key_namespace == _PROVIDER_ID + assert test.key_name == _KEY_NAME + assert test.key_namespace == _KEY_NAMESPACE assert test._wrapping_algorithm == WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING assert test._wrapping_key == _WRAPPING_KEY @@ -89,11 +89,11 @@ def test_valid_parameters(raw_aes_keyring): @pytest.mark.parametrize( "key_namespace, key_name, wrapping_algorithm, wrapping_key", ( - (_PROVIDER_ID, None, WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, None), + (_KEY_NAMESPACE, None, WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, None), (None, None, None, None), ( - _PROVIDER_ID, - _KEY_ID, + _KEY_NAMESPACE, + _KEY_NAME, WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING, ), @@ -115,7 +115,7 @@ def test_invalid_parameters(key_namespace, key_name, wrapping_algorithm, wrappin def test_invalid_key_length(): with pytest.raises(ValueError) as excinfo: RawAESKeyring( - key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=b"012345", + key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=b"012345", ) excinfo.match(r"Invalid wrapping key length. Must be one of \[16, 24, 32\] bytes.") @@ -129,25 +129,6 @@ def test_on_encrypt_when_data_encryption_key_given(raw_aes_keyring, patch_genera assert not patch_generate_data_key.called -def test_keyring_trace_on_encrypt_when_data_encryption_key_given(raw_aes_keyring): - test_raw_aes_keyring = raw_aes_keyring - - test = test_raw_aes_keyring.on_encrypt(encryption_materials=get_encryption_materials_with_data_encryption_key()) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 0 - - encrypt_traces = [ - entry - for entry in trace_entries - if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT} - ] - assert len(encrypt_traces) == 1 - - def test_on_encrypt_when_data_encryption_key_not_given(raw_aes_keyring): test_raw_aes_keyring = raw_aes_keyring @@ -160,20 +141,6 @@ def test_on_encrypt_when_data_encryption_key_not_given(raw_aes_keyring): # Check if data key is generated assert test.data_encryption_key is not None - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 2 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 1 - - encrypt_traces = [ - entry - for entry in trace_entries - if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT} - ] - assert len(encrypt_traces) == 1 - assert len(test.encrypted_data_keys) == original_number_of_encrypted_data_keys + 1 @@ -199,17 +166,6 @@ def test_on_decrypt_when_data_key_given(raw_aes_keyring, decryption_materials, e assert not patch_decrypt_on_wrapping_key.called -def test_on_decrypt_keyring_trace_when_data_key_given(raw_aes_keyring): - test_raw_aes_keyring = raw_aes_keyring - test = test_raw_aes_keyring.on_decrypt( - decryption_materials=get_decryption_materials_with_data_encryption_key(), - encrypted_data_keys=[_ENCRYPTED_DATA_KEY_AES], - ) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 0 - - @pytest.mark.parametrize( "decryption_materials, edk", ( @@ -223,11 +179,8 @@ def test_on_decrypt_when_data_key_and_edk_not_provided( test_raw_aes_keyring = raw_aes_keyring test = test_raw_aes_keyring.on_decrypt(decryption_materials=decryption_materials, encrypted_data_keys=edk) - assert not patch_decrypt_on_wrapping_key.called - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 0 + assert not patch_decrypt_on_wrapping_key.called assert test.data_encryption_key is None @@ -243,25 +196,6 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_provided(raw_aes_keyring, ) -def test_on_decrypt_keyring_trace_when_data_key_not_provided_and_edk_provided(raw_aes_keyring): - test_raw_aes_keyring = raw_aes_keyring - - test = test_raw_aes_keyring.on_decrypt( - decryption_materials=get_decryption_materials_without_data_encryption_key(), - encrypted_data_keys=[_ENCRYPTED_DATA_KEY_AES], - ) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 1 - - decrypt_traces = [ - entry - for entry in trace_entries - if entry.flags == {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT} - ] - assert len(decrypt_traces) == 1 - - def test_on_decrypt_continues_through_edks_on_failure(raw_aes_keyring, patch_decrypt_on_wrapping_key): patch_decrypt_on_wrapping_key.side_effect = (Exception("DECRYPT FAIL"), _DATA_KEY) @@ -279,7 +213,7 @@ def test_generate_data_key_error_when_data_key_not_generated(patch_os_urandom): with pytest.raises(GenerateKeyError) as exc_info: _generate_data_key( encryption_materials=get_encryption_materials_without_data_encryption_key(), - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME), ) assert exc_info.match("Unable to generate data encryption key.") @@ -288,31 +222,24 @@ def test_generate_data_key_error_when_data_key_exists(): with pytest.raises(TypeError) as exc_info: _generate_data_key( encryption_materials=get_encryption_materials_with_data_encryption_key(), - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME), ) assert exc_info.match("Data encryption key already exists.") -def test_generate_data_key_keyring_trace(): +def test_generate_data_key_provider_info(): encryption_materials_without_data_key = EncryptionMaterials( algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, ) - key_provider_info = MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID) + key_provider_info = MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME) new_materials = _generate_data_key( encryption_materials=encryption_materials_without_data_key, key_provider=key_provider_info, ) assert new_materials is not encryption_materials_without_data_key assert encryption_materials_without_data_key.data_encryption_key is None - assert not encryption_materials_without_data_key.keyring_trace assert new_materials.data_encryption_key is not None assert new_materials.data_encryption_key.key_provider == key_provider_info - - trace_entries = [entry for entry in new_materials.keyring_trace if entry.wrapping_key == key_provider_info] - assert len(trace_entries) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 1 diff --git a/test/unit/keyrings/raw/test_raw_rsa.py b/test/unit/keyrings/raw/test_raw_rsa.py index 55b91de92..a9ea33e2b 100644 --- a/test/unit/keyrings/raw/test_raw_rsa.py +++ b/test/unit/keyrings/raw/test_raw_rsa.py @@ -20,7 +20,7 @@ import aws_encryption_sdk.key_providers.raw import aws_encryption_sdk.keyrings.raw from aws_encryption_sdk.exceptions import EncryptKeyError -from aws_encryption_sdk.identifiers import KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.raw import RawRSAKeyring @@ -31,9 +31,9 @@ _ENCRYPTED_DATA_KEY_AES, _ENCRYPTED_DATA_KEY_RSA, _ENCRYPTION_CONTEXT, - _KEY_ID, + _KEY_NAME, + _KEY_NAMESPACE, _KEY_SIZE, - _PROVIDER_ID, _PUBLIC_EXPONENT, get_decryption_materials_with_data_encryption_key, get_decryption_materials_without_data_encryption_key, @@ -51,8 +51,8 @@ def raw_rsa_keyring(): data=VALUES["private_rsa_key_bytes"][1], password=None, backend=default_backend() ) return RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), @@ -87,8 +87,8 @@ def test_parent(): def test_valid_parameters(raw_rsa_keyring): test = raw_rsa_keyring - assert test.key_namespace == _PROVIDER_ID - assert test.key_name == _KEY_ID + assert test.key_namespace == _KEY_NAMESPACE + assert test.key_name == _KEY_NAME assert test._wrapping_algorithm == WrappingAlgorithm.RSA_OAEP_SHA256_MGF1 assert isinstance(test._private_wrapping_key, rsa.RSAPrivateKey) @@ -96,11 +96,17 @@ def test_valid_parameters(raw_rsa_keyring): @pytest.mark.parametrize( "key_namespace, key_name, wrapping_algorithm, private_wrapping_key, public_wrapping_key", ( - (_PROVIDER_ID, None, WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, raw_rsa_private_key(), None), + (_KEY_NAMESPACE, None, WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, raw_rsa_private_key(), None), (None, None, None, None, None), - (_PROVIDER_ID, _KEY_ID, WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, None), + ( + _KEY_NAMESPACE, + _KEY_NAME, + WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, + WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, + None, + ), (None, None, None, raw_rsa_private_key(), raw_rsa_private_key().public_key()), - (len(_PROVIDER_ID), len(_KEY_ID), _PROVIDER_ID, _PROVIDER_ID, _KEY_ID), + (len(_KEY_NAMESPACE), len(_KEY_NAME), _KEY_NAMESPACE, _KEY_NAMESPACE, _KEY_NAME), ), ) def test_invalid_parameters(key_namespace, key_name, wrapping_algorithm, private_wrapping_key, public_wrapping_key): @@ -125,8 +131,8 @@ def test_invalid_parameters(key_namespace, key_name, wrapping_algorithm, private def test_invalid_wrapping_algorithm_suite(wrapping_algorithm): with pytest.raises(ValueError): RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=wrapping_algorithm, private_wrapping_key=raw_rsa_private_key(), ) @@ -135,7 +141,7 @@ def test_invalid_wrapping_algorithm_suite(wrapping_algorithm): def test_public_and_private_key_not_provided(): with pytest.raises(TypeError) as exc_info: RawRSAKeyring( - key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1 + key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1 ) assert exc_info.match("At least one of public key or private key must be provided.") @@ -151,8 +157,8 @@ def test_on_encrypt_when_data_encryption_key_given(raw_rsa_keyring, patch_genera def test_on_encrypt_no_public_key(raw_rsa_keyring): private_key = raw_rsa_private_key() test_keyring = RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=private_key, ) @@ -165,21 +171,6 @@ def test_on_encrypt_no_public_key(raw_rsa_keyring): excinfo.match("A public key is required to encrypt") -def test_on_encrypt_keyring_trace_when_data_encryption_key_given(raw_rsa_keyring): - materials = get_encryption_materials_with_data_encryption_key() - test = raw_rsa_keyring.on_encrypt(encryption_materials=materials) - assert test is not materials - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 1 - - encrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY}] - assert len(encrypt_traces) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 0 - - def test_on_encrypt_when_data_encryption_key_not_given(raw_rsa_keyring): test_raw_rsa_keyring = raw_rsa_keyring @@ -189,15 +180,6 @@ def test_on_encrypt_when_data_encryption_key_not_given(raw_rsa_keyring): test = test_raw_rsa_keyring.on_encrypt(encryption_materials=get_encryption_materials_without_data_encryption_key()) - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 2 - - encrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY}] - assert len(encrypt_traces) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 1 - assert test.data_encryption_key.data_key is not None assert len(test.encrypted_data_keys) == original_number_of_encrypted_data_keys + 1 @@ -221,16 +203,6 @@ def test_on_decrypt_no_private_key(raw_rsa_keyring): assert test is materials -def test_on_decrypt_keyring_trace_when_data_key_given(raw_rsa_keyring): - test_raw_rsa_keyring = raw_rsa_keyring - test = test_raw_rsa_keyring.on_decrypt( - decryption_materials=get_decryption_materials_with_data_encryption_key(), - encrypted_data_keys=[_ENCRYPTED_DATA_KEY_RSA], - ) - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 0 - - def test_on_decrypt_when_data_key_and_edk_not_provided(raw_rsa_keyring, patch_decrypt_on_wrapping_key): test_raw_rsa_keyring = raw_rsa_keyring @@ -239,9 +211,6 @@ def test_on_decrypt_when_data_key_and_edk_not_provided(raw_rsa_keyring, patch_de ) assert not patch_decrypt_on_wrapping_key.called - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 0 - assert test.data_encryption_key is None @@ -267,9 +236,6 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_not_in_keyring(raw_rsa_ke ) assert not patch_decrypt_on_wrapping_key.called - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert not trace_entries - assert test.data_encryption_key is None @@ -286,25 +252,6 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_provided(raw_rsa_keyring, ) -def test_on_decrypt_keyring_trace_when_data_key_not_provided_and_edk_provided(raw_rsa_keyring): - test_raw_rsa_keyring = raw_rsa_keyring - - test = test_raw_rsa_keyring.on_decrypt( - decryption_materials=get_decryption_materials_without_data_encryption_key(), - encrypted_data_keys=test_raw_rsa_keyring.on_encrypt( - encryption_materials=get_encryption_materials_without_data_encryption_key() - ).encrypted_data_keys, - ) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 1 - - decrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.DECRYPTED_DATA_KEY}] - assert len(decrypt_traces) == 1 - - assert test.data_encryption_key is not None - - def test_on_decrypt_continues_through_edks_on_failure(raw_rsa_keyring, mocker): patched_wrapping_key_decrypt = mocker.patch.object(raw_rsa_keyring._private_wrapping_key, "decrypt") patched_wrapping_key_decrypt.side_effect = (Exception("DECRYPT FAIL"), _DATA_KEY) @@ -316,10 +263,4 @@ def test_on_decrypt_continues_through_edks_on_failure(raw_rsa_keyring, mocker): assert patched_wrapping_key_decrypt.call_count == 2 - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 1 - - decrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.DECRYPTED_DATA_KEY}] - assert len(decrypt_traces) == 1 - assert test.data_encryption_key.data_key == _DATA_KEY diff --git a/test/unit/keyrings/test_multi.py b/test/unit/keyrings/test_multi.py index 97948ef63..acd8badfb 100644 --- a/test/unit/keyrings/test_multi.py +++ b/test/unit/keyrings/test_multi.py @@ -40,8 +40,8 @@ _ENCRYPTION_CONTEXT = {"encryption": "context", "values": "here"} -_PROVIDER_ID = "Random Raw Keys" -_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada" +_KEY_NAMESPACE = "Random Raw Keys" +_KEY_NAME = "5325b043-5843-4629-869c-64794af77ada" _WRAPPING_KEY_AES = b"\xeby-\x80A6\x15rA8\x83#,\xe4\xab\xac`\xaf\x99Z\xc1\xce\xdb\xb6\x0f\xb7\x805\xb2\x14J3" _SIGNING_KEY = b"aws-crypto-public-key" @@ -96,14 +96,16 @@ def test_parent(): def test_keyring_with_generator_but_no_children(): - generator_keyring = RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY_AES,) + generator_keyring = RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY_AES,) test_multi_keyring = MultiKeyring(generator=generator_keyring) assert test_multi_keyring.generator is generator_keyring assert not test_multi_keyring.children def test_keyring_with_children_but_no_generator(): - children_keyring = [RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY_AES,)] + children_keyring = [ + RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY_AES,) + ] test_multi_keyring = MultiKeyring(children=children_keyring) assert test_multi_keyring.children is children_keyring assert test_multi_keyring.generator is None diff --git a/test/unit/materials_managers/test_material_managers.py b/test/unit/materials_managers/test_material_managers.py index 62314298e..9223e42bf 100644 --- a/test/unit/materials_managers/test_material_managers.py +++ b/test/unit/materials_managers/test_material_managers.py @@ -17,8 +17,8 @@ from cryptography.hazmat.primitives.asymmetric import ec from mock import MagicMock -from aws_encryption_sdk.exceptions import InvalidDataKeyError, InvalidKeyringTraceError, SignatureKeyError -from aws_encryption_sdk.identifiers import AlgorithmSuite, KeyringTraceFlag +from aws_encryption_sdk.exceptions import InvalidDataKeyError, SignatureKeyError +from aws_encryption_sdk.identifiers import AlgorithmSuite from aws_encryption_sdk.internal.crypto.authentication import Signer, Verifier from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.internal.utils.streams import ROStream @@ -30,7 +30,7 @@ EncryptionMaterialsRequest, _data_key_to_raw_data_key, ) -from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.unit, pytest.mark.local] @@ -47,15 +47,7 @@ _VALID_KWARGS = { "CryptographicMaterials": dict( - algorithm=ALGORITHM, - encryption_context={"additional": "data"}, - data_encryption_key=_DATA_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id="Provider", key_info=b"Info"), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], + algorithm=ALGORITHM, encryption_context={"additional": "data"}, data_encryption_key=_DATA_KEY, ), "EncryptionMaterialsRequest": dict( encryption_context={}, @@ -95,7 +87,6 @@ def _copy_and_update_kwargs(class_name, mod_kwargs): (CryptographicMaterials, dict(encryption_context=1234)), (CryptographicMaterials, dict(data_encryption_key=1234)), (CryptographicMaterials, dict(encrypted_data_keys=1234)), - (CryptographicMaterials, dict(keyring_trace=1234)), (EncryptionMaterialsRequest, dict(encryption_context=None)), (EncryptionMaterialsRequest, dict(frame_length="not an int")), (EncryptionMaterialsRequest, dict(algorithm="not an Algorithm or None")), @@ -184,8 +175,6 @@ def _cryptographic_materials_attributes(): "algorithm", "encryption_context", "data_encryption_key", - "_keyring_trace", - "keyring_trace", "_initialized", ): yield material, attribute @@ -207,24 +196,6 @@ def test_cryptographic_materials_cannot_change_attribute(material_class, attribu excinfo.match("can't set attribute") -@pytest.mark.parametrize("material_class", (CryptographicMaterials, EncryptionMaterials, DecryptionMaterials)) -def test_immutable_keyring_trace(material_class): - materials = material_class(**_VALID_KWARGS[material_class.__name__]) - - with pytest.raises(AttributeError): - materials.keyring_trace.append(42) - - -@pytest.mark.parametrize("material_class", (CryptographicMaterials, EncryptionMaterials, DecryptionMaterials)) -def test_empty_keyring_trace(material_class): - materials = material_class(**_copy_and_update_kwargs(material_class.__name__, dict(keyring_trace=_REMOVE))) - - trace = materials.keyring_trace - - assert isinstance(trace, tuple) - assert not trace - - def test_immutable_encrypted_data_keys(): materials = EncryptionMaterials(**_VALID_KWARGS["EncryptionMaterials"]) @@ -242,13 +213,9 @@ def test_empty_encrypted_data_keys(): @pytest.mark.parametrize( - "material_class, flag", - ( - (EncryptionMaterials, KeyringTraceFlag.GENERATED_DATA_KEY), - (DecryptionMaterials, KeyringTraceFlag.DECRYPTED_DATA_KEY), - ), + "material_class", ((EncryptionMaterials), (DecryptionMaterials),), ) -def test_with_data_encryption_key_success(material_class, flag): +def test_with_data_encryption_key_success(material_class): kwargs = _copy_and_update_kwargs( material_class.__name__, dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE) ) @@ -258,45 +225,23 @@ def test_with_data_encryption_key_success(material_class, flag): data_encryption_key=RawDataKey( key_provider=MasterKeyInfo(provider_id="a", key_info=b"b"), data_key=b"1" * ALGORITHM.kdf_input_len ), - keyring_trace=KeyringTrace(wrapping_key=MasterKeyInfo(provider_id="a", key_info=b"b"), flags={flag}), ) assert new_materials is not materials def _add_data_encryption_key_test_cases(): - for material_class, required_flags in ( - (EncryptionMaterials, KeyringTraceFlag.GENERATED_DATA_KEY), - (DecryptionMaterials, KeyringTraceFlag.DECRYPTED_DATA_KEY), - ): + for material_class in (EncryptionMaterials, DecryptionMaterials): yield ( material_class, dict(data_encryption_key=_RAW_DATA_KEY, data_key=_REMOVE, encrypted_data_keys=_REMOVE), _RAW_DATA_KEY, - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags={required_flags}), AttributeError, "Data encryption key is already set.", ) - yield ( - material_class, - dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE), - _RAW_DATA_KEY, - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags=set()), - InvalidKeyringTraceError, - "Keyring flags do not match action.", - ) - yield ( - material_class, - dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE), - RawDataKey(key_provider=MasterKeyInfo(provider_id="a", key_info=b"b"), data_key=b"asdf"), - KeyringTrace(wrapping_key=MasterKeyInfo(provider_id="c", key_info=b"d"), flags={required_flags}), - InvalidKeyringTraceError, - "Keyring trace does not match data key provider.", - ) yield ( material_class, dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE), RawDataKey(key_provider=_RAW_DATA_KEY.key_provider, data_key=b"1234"), - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags={required_flags}), InvalidDataKeyError, r"Invalid data key length *", ) @@ -304,24 +249,23 @@ def _add_data_encryption_key_test_cases(): DecryptionMaterials, dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE, algorithm=_REMOVE), RawDataKey(key_provider=_RAW_DATA_KEY.key_provider, data_key=b"1234"), - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags={required_flags}), AttributeError, "Algorithm is not set", ) @pytest.mark.parametrize( - "material_class, mod_kwargs, data_encryption_key, keyring_trace, exception_type, exception_message", + "material_class, mod_kwargs, data_encryption_key, exception_type, exception_message", _add_data_encryption_key_test_cases(), ) def test_with_data_encryption_key_fail( - material_class, mod_kwargs, data_encryption_key, keyring_trace, exception_type, exception_message + material_class, mod_kwargs, data_encryption_key, exception_type, exception_message ): kwargs = _copy_and_update_kwargs(material_class.__name__, mod_kwargs) materials = material_class(**kwargs) with pytest.raises(exception_type) as excinfo: - materials.with_data_encryption_key(data_encryption_key=data_encryption_key, keyring_trace=keyring_trace) + materials.with_data_encryption_key(data_encryption_key=data_encryption_key) excinfo.match(exception_message) @@ -330,50 +274,27 @@ def test_with_encrypted_data_key_success(): kwargs = _copy_and_update_kwargs("EncryptionMaterials", {}) materials = EncryptionMaterials(**kwargs) - new_materials = materials.with_encrypted_data_key( - _ENCRYPTED_DATA_KEY, - keyring_trace=KeyringTrace( - wrapping_key=_ENCRYPTED_DATA_KEY.key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY} - ), - ) + new_materials = materials.with_encrypted_data_key(_ENCRYPTED_DATA_KEY) assert new_materials is not materials @pytest.mark.parametrize( - "mod_kwargs, encrypted_data_key, keyring_trace, exception_type, exception_message", + "mod_kwargs, encrypted_data_key, exception_type, exception_message", ( - ( - {}, - _ENCRYPTED_DATA_KEY, - KeyringTrace(wrapping_key=_ENCRYPTED_DATA_KEY.key_provider, flags=set()), - InvalidKeyringTraceError, - "Keyring flags do not match action.", - ), - ( - {}, - EncryptedDataKey(key_provider=MasterKeyInfo(provider_id="a", key_info=b"b"), encrypted_data_key=b"asdf"), - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id="not a match", key_info=b"really not a match"), - flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ), - InvalidKeyringTraceError, - "Keyring trace does not match data key encryptor.", - ), ( dict(data_encryption_key=_REMOVE, encrypted_data_keys=_REMOVE), _ENCRYPTED_DATA_KEY, - KeyringTrace(wrapping_key=_ENCRYPTED_DATA_KEY.key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}), AttributeError, "Data encryption key is not set.", ), ), ) -def test_with_encrypted_data_key_fail(mod_kwargs, encrypted_data_key, keyring_trace, exception_type, exception_message): +def test_with_encrypted_data_key_fail(mod_kwargs, encrypted_data_key, exception_type, exception_message): kwargs = _copy_and_update_kwargs("EncryptionMaterials", mod_kwargs) materials = EncryptionMaterials(**kwargs) with pytest.raises(exception_type) as excinfo: - materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace) + materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) excinfo.match(exception_message) diff --git a/test/unit/test_structures.py b/test/unit/test_structures.py index 26cef17ec..16eb142b0 100644 --- a/test/unit/test_structures.py +++ b/test/unit/test_structures.py @@ -13,12 +13,11 @@ """Unit test suite for aws_encryption_sdk.structures""" import pytest -from aws_encryption_sdk.identifiers import Algorithm, ContentType, KeyringTraceFlag, ObjectType, SerializationVersion +from aws_encryption_sdk.identifiers import Algorithm, ContentType, ObjectType, SerializationVersion from aws_encryption_sdk.structures import ( CryptoResult, DataKey, EncryptedDataKey, - KeyringTrace, MasterKeyInfo, MessageHeader, RawDataKey, @@ -65,11 +64,6 @@ key_provider=MasterKeyInfo(provider_id="asjnoa", key_info=b"aosjfoaiwej"), encrypted_data_key=b"aisofiawjef" ) ], - KeyringTrace: [ - dict( - wrapping_key=MasterKeyInfo(provider_id="foo", key_info=b"bar"), flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ) - ], CryptoResult: [ dict( result=b"super secret stuff", @@ -85,12 +79,6 @@ header_iv_length=32456, frame_length=234567, ), - keyring_trace=( - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id="foo", key_info=b"bar"), - flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ), - ), ) ], } diff --git a/test/unit/unit_test_utils.py b/test/unit/unit_test_utils.py index bd6a9a82f..f97a75940 100644 --- a/test/unit/unit_test_utils.py +++ b/test/unit/unit_test_utils.py @@ -14,7 +14,7 @@ from cryptography.hazmat.primitives.asymmetric import rsa from aws_encryption_sdk.exceptions import DecryptKeyError -from aws_encryption_sdk.identifiers import AlgorithmSuite, EncryptionKeyType, KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import AlgorithmSuite, EncryptionKeyType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey from aws_encryption_sdk.internal.utils.streams import InsistentReaderBytesIO from aws_encryption_sdk.key_providers.base import MasterKeyProvider, MasterKeyProviderConfig @@ -23,7 +23,7 @@ from aws_encryption_sdk.keyrings.multi import MultiKeyring from aws_encryption_sdk.keyrings.raw import RawAESKeyring, RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Dict, Iterable, Optional # noqa pylint: disable=unused-import @@ -32,9 +32,9 @@ pass _ENCRYPTION_CONTEXT = {"encryption": "context", "values": "here"} -_PROVIDER_ID = "Random Raw Keys" -_EXISTING_KEY_ID = b"pre-seeded key id" -_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada" +_KEY_NAMESPACE = "Random Raw Keys" +_EXISTING_KEY_NAME = "pre-seeded key id" +_KEY_NAME = "5325b043-5843-4629-869c-64794af77ada" _WRAPPING_KEY = b"\xeby-\x80A6\x15rA8\x83#,\xe4\xab\xac`\xaf\x99Z\xc1\xce\xdb\xb6\x0f\xb7\x805\xb2\x14J3" _SIGNING_KEY = b"aws-crypto-public-key" _DATA_KEY = ( @@ -73,7 +73,7 @@ ) _ENCRYPTED_DATA_KEY_RSA = EncryptedDataKey( - key_provider=MasterKeyInfo(provider_id="Random Raw Keys", key_info=_KEY_ID), + key_provider=MasterKeyInfo(provider_id="Random Raw Keys", key_info=_KEY_NAME), encrypted_data_key=b"\xf3+\x15n\xe6`\xbe\xfe\xf0\x9e1\xe5\x9b" b"\xaf\xfe\xdaT\xbb\x17\x14\xfd} o\xdd\xf1" b"\xbc\xe1C\xa5J\xd8\xc7\x15\xc2\x90t=\xb9" @@ -95,13 +95,12 @@ class OnlyGenerateKeyring(Keyring): def on_encrypt(self, encryption_materials): # type: (EncryptionMaterials) -> EncryptionMaterials if encryption_materials.data_encryption_key is None: - key_provider = MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID) + key_provider = MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_KEY_NAME) data_encryption_key = RawDataKey( key_provider=key_provider, data_key=os.urandom(encryption_materials.algorithm.kdf_input_len) ) encryption_materials = encryption_materials.with_data_encryption_key( data_encryption_key=data_encryption_key, - keyring_trace=KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.GENERATED_DATA_KEY}), ) return encryption_materials @@ -114,17 +113,11 @@ def get_encryption_materials_with_data_key(): return EncryptionMaterials( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ) @@ -132,17 +125,11 @@ def get_encryption_materials_with_data_encryption_key(): return EncryptionMaterials( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ) @@ -158,24 +145,18 @@ def get_encryption_materials_with_encrypted_data_key(): return EncryptionMaterials( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encrypted_data_keys=[ EncryptedDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), encrypted_data_key=b"\xde^\x97\x7f\x84\xe9\x9e\x98\xd0\xe2\xf8\xd5\xcb\xe9\x7f.}\x87\x16,\x11n#\xc8p" b"\xdb\xbf\x94\x86*Q\x06\xd2\xf5\xdah\x08\xa4p\x81\xf7\xf4G\x07FzE\xde", ) ], encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY, KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ) - ], ) @@ -183,18 +164,12 @@ def get_encryption_materials_with_encrypted_data_key_aes(): return EncryptionMaterials( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encrypted_data_keys=[_ENCRYPTED_DATA_KEY_AES], encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY, KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ) - ], ) @@ -218,17 +193,11 @@ def get_decryption_materials_with_data_key(): return DecryptionMaterials( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, verification_key=b"ex_verification_key", - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}, - ) - ], ) @@ -236,17 +205,11 @@ def get_decryption_materials_with_data_encryption_key(): return DecryptionMaterials( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, data_encryption_key=RawDataKey( - key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), + key_provider=MasterKeyInfo(provider_id=_KEY_NAMESPACE, key_info=_EXISTING_KEY_NAME), data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, verification_key=b"ex_verification_key", - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}, - ) - ], ) @@ -257,18 +220,18 @@ def get_decryption_materials_without_data_key(): def get_multi_keyring_with_generator_and_children(): private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) return MultiKeyring( - generator=RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY_AES,), + generator=RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY_AES,), children=[ RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), ), RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), @@ -281,8 +244,8 @@ def get_multi_keyring_with_no_children(): private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) return MultiKeyring( generator=RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), @@ -295,13 +258,13 @@ def get_multi_keyring_with_no_generator(): return MultiKeyring( children=[ RawRSAKeyring( - key_namespace=_PROVIDER_ID, - key_name=_KEY_ID, + key_namespace=_KEY_NAMESPACE, + key_name=_KEY_NAME, wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1, private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), ), - RawAESKeyring(key_namespace=_PROVIDER_ID, key_name=_KEY_ID, wrapping_key=_WRAPPING_KEY_AES,), + RawAESKeyring(key_namespace=_KEY_NAMESPACE, key_name=_KEY_NAME, wrapping_key=_WRAPPING_KEY_AES,), ] ) @@ -412,7 +375,7 @@ def ephemeral_raw_rsa_keyring(size=4096, wrapping_algorithm=WrappingAlgorithm.RS private_key = rsa.generate_private_key(public_exponent=65537, key_size=size, backend=default_backend()) return RawRSAKeyring( key_namespace="fake", - key_name="rsa-{}".format(size).encode("utf-8"), + key_name="rsa-{}".format(size), wrapping_algorithm=wrapping_algorithm, private_wrapping_key=private_key, public_wrapping_key=private_key.public_key(), @@ -471,9 +434,7 @@ def ephemeral_raw_aes_keyring(wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_I key_length = wrapping_algorithm.algorithm.data_key_len if key is None: key = os.urandom(key_length) - return RawAESKeyring( - key_namespace="fake", key_name="aes-{}".format(key_length * 8).encode("utf-8"), wrapping_key=key, - ) + return RawAESKeyring(key_namespace="fake", key_name="aes-{}".format(key_length * 8), wrapping_key=key,) class EphemeralRawMasterKeyProvider(RawMasterKeyProvider): @@ -587,7 +548,6 @@ def _break_encryption_materials(self, encryption_materials): encrypted_data_keys=encryption_materials.encrypted_data_keys, encryption_context=self._broken_encryption_context(encryption_materials.encryption_context), signing_key=self._broken_key(encryption_materials.signing_key), - keyring_trace=encryption_materials.keyring_trace, ) def _break_decryption_materials(self, decryption_materials): @@ -597,7 +557,6 @@ def _break_decryption_materials(self, decryption_materials): data_encryption_key=decryption_materials.data_encryption_key, encryption_context=self._broken_encryption_context(decryption_materials.encryption_context), verification_key=self._broken_key(decryption_materials.verification_key), - keyring_trace=decryption_materials.keyring_trace, ) def on_encrypt(self, encryption_materials): @@ -625,7 +584,6 @@ def on_encrypt(self, encryption_materials): data_encryption_key=materials.data_encryption_key, encryption_context=materials.encryption_context, signing_key=materials.signing_key, - keyring_trace=materials.keyring_trace, ) def on_decrypt(self, decryption_materials, encrypted_data_keys): diff --git a/test_vector_handlers/src/pylintrc b/test_vector_handlers/src/pylintrc index 2fba3ddfa..ebd2eb02e 100644 --- a/test_vector_handlers/src/pylintrc +++ b/test_vector_handlers/src/pylintrc @@ -3,8 +3,11 @@ disable = bad-continuation, # we let black handle this ungrouped-imports, # we let isort handle this - useless-object-inheritance, # we need to support Python 2, so no, not useless duplicate-code, # the manifest handlers have a lot of similar code + # All below are disabled because we need to support Python 2 + useless-object-inheritance, + raise-missing-from, + super-with-arguments, [FORMAT] max-line-length = 120 diff --git a/test_vector_handlers/test/pylintrc b/test_vector_handlers/test/pylintrc index 794e2039f..5aa03d3ae 100644 --- a/test_vector_handlers/test/pylintrc +++ b/test_vector_handlers/test/pylintrc @@ -5,9 +5,12 @@ disable = missing-docstring, # we don't write docstrings for tests bad-continuation, # we let black handle this ungrouped-imports, # we let isort handle this - useless-object-inheritance, # we need to support Python 2, so no, not useless duplicate-code, # unit tests for similar things tend to be similar redefined-outer-name, # raised when using decorators + # All below are disabled because we need to support Python 2 + useless-object-inheritance, + raise-missing-from, + super-with-arguments, [FORMAT] max-line-length = 120